From 20f7a2fa0dd243a8932c187afcf67fb5503ee40b Mon Sep 17 00:00:00 2001
From: Ashish Dhingra <67916761+ashishdhingra@users.noreply.github.com>
Date: Wed, 11 Jun 2025 10:46:40 -0700
Subject: [PATCH] Sync main from dev (#219)

* Add dependabot configuration (#216)

* Add Semgrep security scanning workflow (#217)

* chore: Pinned to v1.6.0 of aws-github-ops/handle-stale-discussions so that closed GitHub discussions are not auto-reopened.

---------

Co-authored-by: Garrett Beatty
---
 .github/dependabot.yml                     | 13 ++++++
 .../workflows/handle-stale-discussions.yml |  2 +-
 .github/workflows/semgrep-analysis.yml     | 41 +++++++++++++++++++
 3 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/semgrep-analysis.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b76d5c8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"
+    labels:
+      - "Release Not Needed"
+    target-branch: "dev"
\ No newline at end of file
diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml
index bfa00bd..25a7055 100644
--- a/.github/workflows/handle-stale-discussions.yml
+++ b/.github/workflows/handle-stale-discussions.yml
@@ -13,6 +13,6 @@ jobs:
       discussions: write
     steps:
       - name: Stale discussions action
-        uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 #v1.6
+        uses: aws-github-ops/handle-stale-discussions@c0beee451a5d33d9c8f048a6d4e7c856b5422544 #v1.6.0
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
new file mode 100644
index 0000000..021f0fe
--- /dev/null
+++ b/.github/workflows/semgrep-analysis.yml
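Review bot: The new dependabot.yml ends without a trailing newline (the diff records `\ No newline at end of file` after `target-branch: "dev"`); add the final newline so the next edit to this file does not show that line as changed. The only ecosystem configured is `github-actions`; if the repository also carries a package manifest, a second `package-ecosystem` entry is needed for Dependabot to track it, which this hunk does not show. Note also that the Semgrep workflow added in the same commit skips runs where the actor is `dependabot[bot]`, so these action-version PRs are only scanned by the `push` trigger after they land on `dev`, not before merge.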
@@ -0,0 +1,41 @@
+name: Semgrep
+
+on:
+  # Scan changed files in PRs, block on new issues only (existing issues ignored)
+  pull_request:
+
+  push:
+    branches: ["dev", "main"]
+
+  schedule:
+    - cron: '23 20 * * 1'
+
+  # Manually trigger the workflow
+  workflow_dispatch:
+
+jobs:
+  semgrep:
+    name: Scan
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+      - run: semgrep ci --sarif > semgrep.sarif
+        env:
+          SEMGREP_RULES: >- # more at semgrep.dev/explore
+            p/security-audit
+            p/secrets
+            p/owasp-top-ten
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
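Review bot: The scan job runs in `image: returntocorp/semgrep` with no tag or digest, so every run pulls whatever that registry's `latest` currently is, while the two actions in the same hunk are pinned to full commit SHAs; pin the image the same way, e.g. `image: semgrep/semgrep@sha256:<digest>` (digest is a placeholder to fill in; `semgrep/semgrep` is the current name of the image and `returntocorp/` the legacy namespace, so confirm which the project wants before changing it). The job-level `permissions:` block lists only `security-events: write`, which sets every other token scope to none; `contents: read` is what `actions/checkout` expects for the token, and `actions: read` is required by `upload-sarif` on private repositories, so `permissions:` should carry all three. For `pull_request` events from forks the token is read-only regardless, so the upload step can still fail there even though `if: always()` lets it run; that follows from the trigger, not from anything visible in the hunk.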